EWF RAM, manage memory consumption

1. How to add/remove programs
Anybody knows how to remove programs without a program uninstall command? I
have been looking for add/remove programs in control panel, but can't find
it.
Best regards...
Morten Hansen

2. Automatic logon does not logon
Hi,
I tried the Automatic logon on my dev. PC, and it works fine.
Now, I am trying it on the target machine, but there it does not log on
automatically. It still asks for user name and password as before, even if
Automatic Logon is used.
Why is this happening?
Cato

3. ERROR - newsgroup server responded:No Such Article In Group
Hi
Nearly all messages in this newsgroup say:
"Error!
newsgroup server responded:No Such Article In Group
Perhaps the article has expired."
This has not happened before. I visit it almost every day.
Is this some error in my computer or in the newsgroup?
Lasse

EWF RAM, manage memory consumption

by Sm9obg » Thu, 19 Jan 2006 22:00:02 GMT

Hi
I have a CF card which I protect with EWF RAM mode. During 24 hours which
the computer has been idling ewf has consumed 5,25 MB of RAM. In my case the
system will run out of memory in 57 days. The system is handling mission
critical systems and must be running 24/7 for years. Rebooting is not an
option.
By using Filemon (excellent freeware from www.sysinternals.com), I can
monitor all disk access done by the system. I filtered out disk writes. Here
is a list of repeating disk writes done by the system:
System:4 C:\WINDOWS\system32\config\SYSTEM.LOG
System:4 C:\WINDOWS\system32\config\AppEvent.Evt
System:4 C:\$LogFile
System:4 C:\$Directory
System:4 C:\$Mft
svchost.exe:884 C:\WINDOWS\system32\config\SYSTEM.LOG
svchost.exe:884 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
svchost.exe:884 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP
svchost.exe:884 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
svchost.exe:884 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
svchost.exe:884 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
svchost.exe:884 C:\$LogFile
winlogon.exe:484 C:\Documents and Settings\Administrator\ntuser.dat.LOG
winlogon.exe:484 C:\WINDOWS\system32\config\SOFTWARE.LOG
services.exe:528 C:\WINDOWS\system32\config\AppEvent.Evt
mqsvc.exe:412 C:\WINDOWS\system32\msmq\storage\MQInSeqs.lg1
mqsvc.exe:412 C:\WINDOWS\system32\msmq\storage\MQTrans.lg1
mqsvc.exe:412 C:\WINDOWS\system32\msmq\storage\QMLog
mqsvc.exe:412 C:\$LogFile
$LogFile, $Directory, $Mft I assume is a result of the other disk writes.
I need some suggestions as to how I can get rid of these disk writes.
Redirecting them is also an option IF the system will continue to work when
the place where the write is redirected to no longer is available. Ex.
harddrive which fails.
I'll appreciate any suggestions.
John
PS! I will not be able to reply in a couple of days

RE: EWF RAM, manage memory consumption

by Ks » Fri, 20 Jan 2006 08:33:05 GMT

By design, RAM-based EWF consumes part of the RAM equivalent to a disk
sector size for every *new* sector the OS or user writes to. There is no
way to eliminate *all* OS writes, in particular writes to the NTFS
filesystem metadata files (those file names starting with the $ sign), and
especially if the user frequently interacts with the filesystem (creating,
deleting and accessing files). So it's normal for the system to
increasingly consume RAM when the OS partition is protected by RAM-based
EWF. At some point though, EWF memory consumption should stabilize and
should not increase at the same rate (or even at all) as when the system was
initially deployed. Worst case scenario is when you have an app or service
that writes to every sector on the protected partition; in this case EWF
will consume a max memory amount equivalent to the size of the protected
partition. You won't usually hit the worst case scenario unless you have
such an app or service.

Here is a summary of things you can do to reduce writes to the protected
partition and consequently reduce memory consumption of EWF:

1. If you do large amounts of file operations (creation, deletion, etc), it
should be done on an unprotected partition.
2. Follow the guidelines in the XPe SP2 doc on how to improve EWF
performance:
http://www.msdn.microsoft.com/library/default.asp?url=/library/en-us/xpehelp/html/xeconewfperformanceconsiderations.asp
Very useful tips there about how to relocate many of the system writes to a
location other than the protected partition.
3. Relocate user profiles to the unprotected partition:
http://support.microsoft.com/kb/314843
4. Re-consider using EWF on the devices. If EWF is absolutely needed,
consider using disk-based EWF where in this case writes to the protected
partition are redirected to the disk drive instead of RAM.
5. Investigate the memory consumption increase as it might be caused by
other app (theirs or 3rd party) or modules in the OS.
6. Use a pagefile on the unprotected partition, which will improve the
system memory management performance.
7. Format the protected partition with FAT instead of NTFS. FAT writes less
to its metadata.
8. Use regmon to find out who exactly is writing to the registry hives.
9. Increase the system RAM.

I hope the above helps

KS

This posting is provided "AS IS" with no warranties and confers no rights.
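
The sector-granular growth described in the reply above can be seen in a small model. This is an added example, not part of the original post and not EWF's actual implementation; the `RamOverlay` class, the 512-byte sector size and both workloads are assumptions constructed for illustration.

```python
MIB = 1024 * 1024
SECTOR = 512  # assumed sector size in bytes


class RamOverlay:
    """Toy RAM overlay: RAM is charged once per distinct sector written."""

    def __init__(self, partition_bytes, sector=SECTOR):
        self.sector = sector
        self.total_sectors = partition_bytes // sector
        self.dirty = set()  # sector numbers currently held in RAM

    def write(self, offset, length):
        """Redirect a write; return the additional RAM consumed, in bytes."""
        if length <= 0:
            return 0
        first = offset // self.sector
        last = (offset + length - 1) // self.sector
        if offset < 0 or last >= self.total_sectors:
            raise ValueError("write outside the protected partition")
        new = set(range(first, last + 1)) - self.dirty
        self.dirty |= new
        return len(new) * self.sector

    @property
    def ram_bytes(self):
        return len(self.dirty) * self.sector


def simulate(partition_bytes, days, writes_for_day):
    """Return overlay RAM use (bytes) at the end of each simulated day."""
    overlay = RamOverlay(partition_bytes)
    usage = []
    for day in range(days):
        for offset, length in writes_for_day(day):
            overlay.write(offset, length)
        usage.append(overlay.ram_bytes)
    return usage


# Constructed workload 1: a fixed 64 KiB region rewritten daily in 4 KiB chunks.
def rewrite_in_place(day):
    return [(MIB + i * 4096, 4096) for i in range(16)]


# Constructed workload 2: 256 KiB written to fresh sectors every day.
def append_only(day):
    return [(2 * MIB + day * 256 * 1024, 256 * 1024)]


if __name__ == "__main__":
    for name, workload in (("rewrite", rewrite_in_place), ("append", append_only)):
        print(name, [u // 1024 for u in simulate(16 * MIB, 5, workload)], "KiB")
```

In this model the in-place workload plateaus after the first day, while the append-only workload grows linearly until it reaches the size of the partition.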

RE: EWF RAM, manage memory consumption

by Ks » Fri, 20 Jan 2006 08:48:54 GMT

If machines are never allowed to reboot, how will they be kept up-to-date
with the latest security updates? Even if it's designed to be running as
stand-alone, it's critical for these machines to be patched with the latest
security updates since some of the vulnerabilities can be exploited locally
at the console and not necessarily over the network. It's a good idea to
schedule the reboot with the installation of the updates to reduce the
number of reboots. This way you ensure the systems are updated and the EWF
overlay cleared after reboot.
KS
This posting is provided "AS IS" with no warranties and confers no rights.

Similar Threads:

Hi all,
I want to deploy one system based EWF with RAM Registry Overlay. 256M memory
Following the critical boot up time requirement, I have to choose hibernating
system instead of shutting down after all finished. Though I have redirected
most of system paths and operations to one un-protected partition, I find
there are always minor increases in the memory used for data (with command:
Ewfmgr -all), copying files to un-protected driver, open files and close
without any chances, etc. These increases won't release even after
resuming from hibernation and keep conservation. It'll run out of all my
memory in one day.
Is there anybody has the solution on this scenario? Can I release the
possessive memory without rebooting or committing?
Thanks
Nightman

Hi anybody,
I am looking for the link to the registry-hack for enabling ewf-ram manually.
I read that days before in this newsgroup here, but me idiot had the option
enabled to kill newsgroup messages after five days...
Thanks in advance,
Sen

Dear all,
I have an embedded system with a CF drive partitioned into three
partitions, C:\ (protected), D:\ (unprotected) and a EWF partition. All
OS files and my custom software is installed and run from the protected
volume, C:\. Log data and other less important files go to the
unprotected volume D:\. I have been using EWF RAM mode for about a
month right now and am monitoring the memory usage via the task manager
closely. Also have IIS running and have a website running and a page
set to auto refresh every 10 seconds.
My question is, even though I have redirected the event log files and
internet temporary files to D:\, stop the OS updating the timestamp of
each file being accessed, the RAM usage is still incrementing about 1
~ 2 Mb per day... Is it due to the refreshing of my custom website? I
am not sure why the OS still writes to RAM even though I have
redirected all the writes to D:\ from my custom apps.
Please advise. Thanks!

I have a XPe O.S using EWF RAM Mode on, and if I copy a file with 100
megabytes to the local disk C.
The 100 megabytes memory is not freed for system after I delete this file
completely (not send to recycle bin)
Is this right for EWF RAM Mode?
I think that the occupied memory space should be freed for reusing after I
delete the file that occupy the memory.
Is this EWF Function's Problem?
Or maybe some command can help user to free the wasted memory space?
-----------------------------------------------------------------------------------
One of my customers hopes our thin client can run right for weeks to
demonstrate some video by using their browser, but they get memory low
message after they run the video for hours.
I suggested the customer to reboot regularly or add memory, but there avenue
expressly do not be a good solution that customer want.
Can some suggestion give me?
thanks very much~~~